On November 28th, The Department of Health and Human Services (HHS) sent out an alert about a phishing campaign they discovered to be targeting employees of HIPAA-covered entities and their business associates.
The fake emails were mocked up to appear like they were from the Office for Civil Rights (OCR), with official looking letterhead under a signature of OCR Director Jocelyn Samuels. The recipients were prompted to click a link regarding their inclusion in the OCR’s auditing program, but instead, the link redirected them to a website that marketed a private cybersecurity service. This website was not affiliated with the government at all and has since been taken down.
It is quite ironic that they were hit by this phishing scam at the same times that the ORC was conducting an audit of the healthcare industry. The audit, which was designed to gather information on security breaches and the most prominent cyber risk factors, was meant to provide guidance to the industry on how to stop future attacks, most of which are known to come from phishing scams in the first place.
In 2011, the OCR began the Privacy, Security, and Breach Rules Audit Program began when they saw how many major cyber attacks were happening in the healthcare sector. In the past year alone, cyber attacks like these have increased by 300 percent, so, as Jocelyn Samuels says the OCR is, “really focused on cyber security threats to electronic protected health information.”
In 2016, the second phase of the program selected a total of 250 healthcare institutions to take part in the audit. In addition to the entities covered in the first phase, they also began to audit a range of business associates of these entities. As they say on their site, “every covered entity and business associate is eligible for an audit.” The OCR thought that the more institutions they audited, the more information they would have on security breaches, and therefore, the more they could glean from that information.
Additionally, as a part of the audit, these institutions were required to fill out a questionnaire that asked specific questions about their electronic files, their financial status, and other detailed documents. All of this information had to be submitted digitally (along with detailed information on specific aspects of their HIPAA compliance) within 10 days of receiving the request.
So, there was a lot of information about these institutions was traveling through emails. There’s also a good chance that a lot of these phishing emails were opened, and a lot of the links were clicked. Knowing that a majority of malware and ransomware comes from phishing emails, it seems counter-intuitive for the OCR to send massive amounts of security information in such an insecure manner. As privacy attorney, Adam Greene of the law firm Davis Wright Tremaine said, “the OCR’s decision to contact covered entities and business associates via email and confirm contact information has pros and cons….there have been concerns from the start that the use of email could lead to phishing attempts such as this.”
It is well known that the easiest way for cybercriminals to breach networks and steal information has been through the use of spam, phishing messages, and email attachments. The malware that these cyber criminals infect networks with, can be downloaded onto their computers the moment a user clicks on the malicious link or opens a bad attachment.
Luckily, these phishing emails were only a part of a marketing scheme, they were not meant to steal information or money. The link pointed to “http://www.hhs-gov.us,” which looks very similar to the correct “.gov” address, but is actually a “.us” address, which anyone can buy. The sender also used the email address “OSOCRAudit@hhs-gov.us, “ which also looks very similar to the real email address for the HIPAA audit program, which is “OSOCRAudit@hhs.gov.” It would be very easy for the recipients to mistake the two on first glance.
When the OCR found out about the scam, they immediately sent out an alert, which was warned any recipients that the cyber security web page was not affiliated with the OCR in any way. “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights,” OCR Director Jocelyn Samuels says in the alert. “We take the unauthorized use of this material by this firm very seriously.”
It could have been a lot worse, especially considering that, for some reason, the OCR’s emails were being sent directly to the spam folder. So, before they sent hundreds of emails, they had to tell all HIPAA institutions to check their spam folders for the email. As the HHS says on their site, “If your entity’s spam filtering and virus protection are automatically enabled, we expect you to check your junk or spam email folder for emails from OCR.” Many security experts called the OCR out on this method since they were announcing their intentions, which means they were setting themselves up the be the victims of phishing campaigns.
All it took was one cyber criminal to see that the OCR was conducting this audit through emails. It is not hard to imagine how easy it was for cyber criminals to take advantage of the OCR for this mistake. This method guaranteed that a lot of these emails would be opened.
“There is a long sad history of scammers pretending to be government officials,” Holtzman notes. “That’s the point – you open something you are expecting.”
What the OCR Suggests
There are a few things that the OCR suggests to victims of phishing attacks. First, it is very important to carefully scrutinize any email, no matter who it comes from. Also, do not download any attachments from unknown senders and do not click on any links without checking them first.
The easiest way to check a link is to hover over it (without actually clicking it). A URL should pop up somewhere, and if it looks suspicious, don’t click it. Instead, type the URL into the address bar, or send it to the IT person in your company.
“Usually, a little digging can tell you if it is legitimate. The problems happen when people respond without doing any checking,” Privacy attorney Kirk Nahra of the law firm Wiley Rein said in an interview. “Since you will only be getting – at most – one OCR email [for a real audit notification], it is pretty easy to check.”